Follow these examples of how to configure settings in ProcessMaker Platform.
Configure SSO SAML authentication using Microsoft Entra ID as the Identity Provider.
Security Assertion Markup Language (SAML) is an XML-oriented open-standard used to exchange identity information between an identity provider (IdP) and ProcessMaker Platform. Configure ProcessMaker Platform to use SSO SAML authentication with the identity provider Microsoft Entra ID (Microsoft Azure Active Directory).
It is recommended to create and configure an enterprise application in Microsoft Entra ID concurrently with configuring ProcessMaker Platform SAML authentication because each configuration procedure requires values from the other.
Follow these steps to add an enterprise application in Microsoft Entra ID:
1. Add a Microsoft Entra ID enterprise application. The Overview enterprise application page displays.
2. Click the Set up single sign on option. The Single sign-on page displays.
3. Click the SAML option. The SAML-based Sign-on page displays.
4. From the Basic SAML Configuration section, click the Edit link. The Basic SAML Configuration page displays.
5. Pause this procedure, and begin configuring the ProcessMaker Platform SAML authentication until the SSO - SAML settings display.
6. From the Identifier (Entity ID) setting, click the Add identifier link to add the ProcessMaker Platform SAML identifier. Get this value from the Entity ID (Metadata) setting when configuring the ProcessMaker Platform SAML authentication (step 4 of that procedure).
7. From the Reply URL (Assertion Consumer Service URL) setting, click the Add reply URL link to add the ProcessMaker Platform SAML reply URL. Get this value from the ACS Url setting when configuring the ProcessMaker Platform SAML authentication (step 3 of that procedure).
8. In the Logout Url (Optional) setting, enter the ProcessMaker Platform SAML logout URL. Get this value from the Single Logout URL setting when configuring the ProcessMaker Platform SAML authentication (step 5 of that procedure).
9. On the top left of the screen, click the Save icon to save the basic SAML configuration. The SAML-based Sign-on page returns.
10. From the Attributes & Claims section, click the Edit link. The Attributes & Claims page displays.
11. From the Required claim section, click the Unique User Identifier (Name ID) row to match the claim name with the ProcessMaker Platform format. The Manage claim page displays. Do the following:
   - Clear the values in the Namespace setting.
   - In the Name setting, enter the value copied from the Name ID Format setting when configuring the ProcessMaker Platform SAML authentication (step 16 of that procedure).
   - On the top left, click the Save button. The Attributes & Claims page returns.
12. In the Additional claims section, match the SAML attributes to the Variable Map setting when configuring the ProcessMaker Platform SAML authentication (step 14 of that procedure).
13. In the breadcrumbs, return to the SAML-based Sign-on settings.
14. From the SAML Certificates section, locate the Certificate (Base64) setting, and then click its Download link. Copy the entire content of the downloaded certificate file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, to the Public Certificate setting when configuring the ProcessMaker Platform SAML authentication.
15. From the Set up section, copy the Login URL value to the SSO Endpoint setting when configuring the ProcessMaker Platform SAML authentication (step 6 of that procedure).
16. From the Set up section, copy the Azure AD Identifier value to the SSO Identifier setting when configuring the ProcessMaker Platform SAML authentication (step 8 of that procedure).
17. From the Set up section, copy the Logout URL value to the SLO Endpoint setting when configuring the ProcessMaker Platform SAML authentication (step 10 of that procedure).
The enterprise application in the Microsoft Entra admin center is now configured for ProcessMaker Platform. Finish configuring the ProcessMaker Platform SAML authentication to start authenticating ProcessMaker Platform users through SAML with Microsoft Entra ID.
The Auth package must be installed.
Furthermore, your user account or group membership must have the "Settings: Update Settings" permission to edit SSO SAML settings unless your user account has the Make this user a Super Admin setting selected.
See the Settings permissions or ask your Administrator for assistance.
Enhance security for your ProcessMaker Platform instance by following these best practices. Among these best practices are to require all ProcessMaker users to log on to your ProcessMaker Platform instance via Single Sign-On (SSO), OAuth, OKTA and/or two-factor authentication.
Follow these steps to configure SAML SSO settings with Microsoft Entra ID as necessary:
1. View your SSO Settings. From the list of SSO identity providers, select the SAML option. The SSO - SAML tab displays.
2. Click the SSO - SAML tab. The SSO - SAML settings display.
3. Use the copy icon to copy the URL from the ACS Url setting, and then provide it to the Add reply URL setting when configuring the Microsoft Entra ID provider (step 7 of that procedure).
4. Use the copy icon to copy the URL from the Entity ID (Metadata) setting, and then provide it to the Add identifier setting when configuring the Microsoft Entra ID provider (step 6 of that procedure).
5. Use the copy icon to copy the URL from the Single Logout URL setting, and then provide it to the Logout Url (Optional) setting when configuring the Microsoft Entra ID provider (step 8 of that procedure).
6. Click the Edit icon for the SSO Endpoint setting. The SSO Endpoint screen displays.
7. Enter the identity provider's single sign-on endpoint: the URL to which ProcessMaker Platform sends its authentication request and from which the identity provider returns the signed authentication response that ProcessMaker Platform validates when establishing the SSO session. Get this value from the Login URL value when configuring the Microsoft Entra ID provider (step 15 of that procedure).
8. Click the Edit icon for the SSO Identifier setting. The SSO Identifier screen displays.
9. Enter the identity provider's SAML entity identifier, the Issuer value that ProcessMaker Platform expects in responses from this identity provider. Get this value from the Azure AD Identifier value when configuring the Microsoft Entra ID provider (step 16 of that procedure).
10. Click the Edit icon for the SLO Endpoint setting. The SLO Endpoint screen displays.
11. Enter the identity provider's single logout endpoint. Get this value from the Logout URL value when configuring the Microsoft Entra ID provider (step 17 of that procedure).
12. Click the Edit icon for the Public Certificate setting. The Public Certificate screen displays.
13. Paste the identity provider's public signing certificate, in PEM format, into this setting. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines; ProcessMaker Platform uses this certificate to validate the signature on the responses it receives. Get this value from the SAML Certificates setting when configuring the Microsoft Entra ID provider (step 14 of that procedure).
14. Click the Edit icon for the Variable Map setting. The Variable Map screen displays default values.
15. Copy each SAML Attribute value to match the Additional claims settings when configuring the Microsoft Entra ID provider (step 12 of that procedure).
16. Click the Copy icon for the Name ID Format setting to copy this value into the Required claim setting when configuring the Microsoft Entra ID provider (step 11 of that procedure).
17. Leave the other settings as they are.
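The values exchanged in the two procedures above (Entra's Login URL, Azure AD Identifier, Logout URL and Certificate (Base64) going into the SSO Endpoint, SSO Identifier, SLO Endpoint and Public Certificate settings) can also be read straight from the tenant's SAML federation metadata. The following Python script is an added example, not ProcessMaker or Microsoft code. It parses a constructed metadata document (placeholder tenant ID, placeholder certificate bytes that are not a real X.509 certificate), wraps the certificate in the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines the Public Certificate setting needs, and then checks a constructed SAML response's Destination, Issuer and Audience against those settings, which is the addressing part of the validation ProcessMaker Platform performs on each response. The host pm.example.com and its ACS and Entity ID paths are assumptions, not ProcessMaker's actual URLs.

```python
"""Derive the ProcessMaker SSO - SAML settings from Microsoft Entra federation
metadata and sanity-check a SAML response against them.

Added example, not ProcessMaker or Microsoft code. The metadata and response
documents are constructed: the tenant ID is a placeholder, the certificate
bytes are not a real X.509 certificate, and the ProcessMaker host
pm.example.com with its ACS and Entity ID paths is assumed.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET  # metadata comes from the IdP; use defusedxml for untrusted XML

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
FAKE_DER = b"constructed placeholder, not a real X.509 certificate " * 4
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed metadata in the shape Entra publishes at
# https://login.microsoftonline.com/<tenant>/federationmetadata/2007-06/federationmetadata.xml
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SP_ENTITY_ID = "https://pm.example.com/sso/saml/metadata"  # assumed Entity ID (Metadata)
ACS_URL = "https://pm.example.com/sso/saml/acs"            # assumed ACS Url

# Constructed, unsigned response of the kind Entra posts to the ACS Url.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def to_pem(cert_b64: str) -> str:
    """Wrap the Base64 certificate body in the header and footer lines the
    Public Certificate setting expects, 64 characters per line."""
    der = base64.b64decode("".join(cert_b64.split()))
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def settings_from_metadata(metadata_xml: str) -> dict:
    """Map IdP metadata onto the SSO Endpoint, SSO Identifier, SLO Endpoint and
    Public Certificate settings, plus the SHA-1 thumbprint to compare with the
    Thumbprint shown in Entra's SAML Certificates section."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = idp.find(f"md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    signing = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert_b64 = signing.find(".//ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))
    return {
        "SSO Endpoint": sso.get("Location"),
        "SSO Identifier": root.get("entityID"),
        "SLO Endpoint": slo.get("Location"),
        "Public Certificate": to_pem(cert_b64),
        "Thumbprint (SHA-1)": hashlib.sha1(der).hexdigest().upper(),
    }


def check_response_addressing(response_xml: str, settings: dict,
                              sp_entity_id: str, acs_url: str) -> list:
    """Return mismatches between a SAML Response and the configured endpoints.
    This is only the addressing part of validation; the signature must still
    be verified against the Public Certificate."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS Url")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != settings["SSO Identifier"]:
        problems.append(f"Issuer {issuer!r} is not the SSO Identifier")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} is not this Entity ID (Metadata)")
    return problems


if __name__ == "__main__":
    cfg = settings_from_metadata(SAMPLE_METADATA)
    for key, value in cfg.items():
        print(f"{key}:\n{value}")
    print("mismatches:", check_response_addressing(SAMPLE_RESPONSE, cfg, SP_ENTITY_ID, ACS_URL))
```

Run it with python3; it prints the five settings and an empty mismatch list. Signature verification is deliberately left out: the Public Certificate is what ProcessMaker Platform uses for that, and a response whose Issuer or Audience does not match the configured values should be rejected even when its signature is valid, since an assertion issued for a different service provider is still a validly signed assertion.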
Configure LDAP settings for Microsoft Active Directory.
The LDAP for Microsoft Active Directory configuration allows ProcessMaker Platform users to log on by authenticating directly into a Microsoft Active Directory server.
Consider the following:
For security reasons, do not use anonymous connections. Bind with a dedicated service account that has only the read access it needs.
ProcessMaker Platform does not support sub-groups or sub-departments. Therefore, user groups cannot be organized hierarchically, and nested groups or departments cannot be created.
Follow these steps to configure LDAP for Microsoft Active Directory:
1. View your LDAP Settings. The LDAP tab displays.
2. Enable the Enabled toggle key so that ProcessMaker Platform synchronizes with your Active Directory server on the schedule configured in the next step, keeping ProcessMaker Platform current as your users, groups, and departments change.
3. Click the Edit icon for the Synchronization Schedule setting. The Synchronization Schedule screen displays. Set the interval at which ProcessMaker Platform synchronizes with your Active Directory server. The more users, groups, and/or departments your Active Directory server contains, the longer each synchronization takes, so choose an interval long enough for one synchronization to finish before the next begins. Follow these steps:
   - In the Quantity setting, enter the number of frequency units between synchronizations. 1 is the default setting.
   - In the Frequency setting, select the unit from the following options: Minutes (default setting), Hours, Days.
   - Click Save. The following message displays: The setting was updated.
4. Click the Edit icon for the Type setting. The Type screen displays. Select the Active Directory option as the LDAP server type to which ProcessMaker Platform connects, and then click Save. The following message displays: The setting was updated.
5. Configure the Server Address setting and the Server Port setting as follows:
   - Click the Edit icon for the Server Address setting. The Server Address screen displays. Enter the IP address or hostname of the Active Directory server with which ProcessMaker Platform synchronizes, and then click Save. The following message displays: The setting was updated.
   - Click the Edit icon for the Server Port setting. The Server Port screen displays. Enter the port number the Active Directory server uses. By default, Active Directory listens on port 389 for LDAP (plain or StartTLS) and on port 636 for LDAP over TLS (LDAPS). Click Save. The following message displays: The setting was updated.
6. If the connection to your Active Directory server uses Transport Layer Security (TLS), enable the TLS toggle key. The following message displays: The setting was updated. Use TLS whenever possible, so that the bind credentials and directory data are not sent in clear text.
7. From the Certificate setting, upload the Active Directory certificate file that will be stored on ProcessMaker Platform. For more information about how to get your Active Directory certificate, see Obtain an Active Directory certificate.
8. Active Directory uses distinguished names (DN) to identify users, groups, and other types of entities. A distinguished name describes an entity starting from the most specific component and moving to the most general in the hierarchy of entities. For example: cn=John Doe,ou=managers,ou=regionalbranch,dc=acme,dc=com. Configure the Base DN as follows:
   - Click the Edit icon for the Base DN setting. The Base DN screen displays.
   - Enter each DC of the Base DN following the guidelines above (for the example above, acme and com).
   - Click Save. The following message displays: The setting was updated.
9. Enter the Active Directory credentials as follows:
   - Click the Edit icon for the Username setting. The Username screen displays. Enter the username ProcessMaker Platform uses to log on to the Active Directory server, and then click Save. The following message displays: The setting was updated.
   - Click the Edit icon for the Password setting. The Password screen displays. Enter the password for that account, and then click Save. The following message displays: The setting was updated.
10. Select which Active Directory groups and departments to synchronize as ProcessMaker Platform groups. The previous settings (server address, port, TLS, Base DN, and credentials) must be correct for ProcessMaker Platform to list groups and departments:
   - Click the Edit icon for the Groups To Import setting. The Groups To Import screen displays the groups on your Active Directory server; if the server contains no groups, this screen displays no groups with which to synchronize. Enable the toggle key for each Active Directory group to synchronize as a ProcessMaker Platform group, and then click Save. The following message displays: The setting was updated.
   - Click the Edit icon for the Departments To Import setting. The Departments To Import screen displays the departments on your Active Directory server; if the server contains no departments, this screen displays no departments with which to synchronize. Enable the toggle key for each Active Directory department to synchronize as a ProcessMaker Platform group, and then click Save. The following message displays: The setting was updated.
11. Click the Edit icon for the User Identifier setting. The User Identifier screen displays. Enter the Active Directory attribute that identifies Active Directory users in ProcessMaker Platform: samaccountname. If unsure, enter *; synchronization is then slower because all object classes are evaluated. Click Save. The following message displays: The setting was updated.
12. Click the Edit icon for the Group Identifier setting. The Group Identifier screen displays. Enter the Active Directory attribute that identifies Active Directory groups in ProcessMaker Platform: cn. If unsure, enter *; synchronization is then slower because all object classes are evaluated. Click Save. The following message displays: The setting was updated.
13. Click the Edit icon for the Variable Map setting. The Variable Map screen displays. Map each ProcessMaker Platform user property to the Active Directory attribute it is read from. For each property, click the +Add button (a new row displays below the existing mapped user properties), enter the ProcessMaker Platform user property in the ProcessMaker Property setting, and enter the Active Directory attribute in the LDAP Attribute setting. Map the properties in the following order:
   - firstname to givenname
   - lastname to sn
   - username to samaccountname
   Click Save. The following message displays: The setting was updated.
14. Click the Edit icon for the Chunk Size For User Import setting. The Chunk Size For User Import screen displays. Enter the number of users imported at a time during synchronization; 500 is the recommended maximum. Click Save. The following message displays: The setting was updated.
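The Base DN, User Identifier, Variable Map and Chunk Size For User Import settings above can be checked before they are typed in. The following Python script is an added example, not ProcessMaker code. It derives the Base DN from the domain name (acme.com, as in the example distinguished name above), splits and validates a distinguished name including one with an escaped comma, builds a lookup filter on the User Identifier attribute with RFC 4515 escaping so that a crafted username cannot alter the filter, applies the Variable Map to constructed directory entries, and batches them by the chunk size. The directory entries are constructed; the page does not state how ProcessMaker Platform itself builds its LDAP filters, so the filter is illustrative of the technique rather than a copy of the product's query.

```python
"""Preflight values for the LDAP for Microsoft Active Directory settings.

Added example, not ProcessMaker code. The domain acme.com and the sample
directory entries are constructed for this example.
"""
import re

# Variable Map as entered in the procedure: ProcessMaker property -> AD attribute
VARIABLE_MAP = {"firstname": "givenname", "lastname": "sn", "username": "samaccountname"}
USER_IDENTIFIER = "samaccountname"
MAX_CHUNK = 500  # recommended maximum for Chunk Size For User Import

# Constructed entries in the shape an AD search returns (attribute names keep AD's casing)
SAMPLE_ENTRIES = [
    {"givenName": "John", "sn": "Doe", "sAMAccountName": "jdoe",
     "distinguishedName": "CN=John Doe,OU=managers,OU=regionalbranch,DC=acme,DC=com"},
    {"givenName": "Ana", "sn": "Lopez", "sAMAccountName": "alopez",
     "distinguishedName": "CN=Ana Lopez\\, Jr.,OU=staff,DC=acme,DC=com"},
]


def base_dn_from_domain(domain: str) -> str:
    """acme.com -> dc=acme,dc=com, one DC per DNS label (the Base DN is entered DC by DC)."""
    labels = [part for part in domain.strip().lower().split(".") if part]
    if not labels or not all(re.fullmatch(r"[a-z0-9-]+", part) for part in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"dc={part}" for part in labels)


# type=value where the value may contain backslash-escaped characters such as '\,'
_RDN = re.compile(r"^(cn|ou|dc)=(?:[^,=\\]|\\.)+$", re.IGNORECASE)


def split_dn(dn: str) -> list:
    """Split a DN into RDNs, most specific first, honouring escaped commas.
    Raises if an RDN is not type=value with a type used in this procedure."""
    rdns = [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]
    bad = [rdn for rdn in rdns if not _RDN.fullmatch(rdn)]
    if bad:
        raise ValueError(f"malformed RDN(s): {bad}")
    return rdns


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a username such as 'x)(objectClass=*' cannot
    rewrite the filter that looks users up by the User Identifier attribute."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def user_filter(identifier_value: str, attribute: str = USER_IDENTIFIER) -> str:
    """Search filter equivalent to looking a user up by the User Identifier attribute."""
    return f"(&(objectClass=user)({attribute}={escape_filter_value(identifier_value)}))"


def map_user(entry: dict) -> dict:
    """Apply the Variable Map to one directory entry. LDAP attribute names are
    case-insensitive, so sAMAccountName in AD matches samaccountname in the map."""
    lowered = {name.lower(): value for name, value in entry.items()}
    missing = [attr for attr in VARIABLE_MAP.values() if attr not in lowered]
    if missing:
        raise KeyError(f"entry {entry.get('distinguishedName')!r} lacks {missing}")
    return {prop: lowered[attr] for prop, attr in VARIABLE_MAP.items()}


def import_chunks(entries: list, chunk_size: int = MAX_CHUNK) -> list:
    """Map the entries and split them into batches of Chunk Size For User Import."""
    if not 1 <= chunk_size <= MAX_CHUNK:
        raise ValueError(f"chunk size must be between 1 and {MAX_CHUNK}")
    users = [map_user(entry) for entry in entries]
    return [users[i:i + chunk_size] for i in range(0, len(users), chunk_size)]


if __name__ == "__main__":
    print("Base DN:", base_dn_from_domain("acme.com"))
    print("RDNs:", split_dn("cn=John Doe,ou=managers,ou=regionalbranch,dc=acme,dc=com"))
    print("filter:", user_filter("x)(objectClass=*"))
    for batch in import_chunks(SAMPLE_ENTRIES, chunk_size=1):
        print(batch)
```

The escaped filter output, (&(objectClass=user)(samaccountname=x\29\28objectClass=\2a)), shows why escaping matters: without it the same input would close the equality match early and turn the lookup into a match on every object, which on a real directory is both a correctness bug and a way for an attacker-controlled username to widen a query.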